Thursday, April 02, 2009

Conficker

I'm sure many of you have heard about the latest hardcore virus, Conficker, right? Well, I just got this info from Shurn Heng and oh damn! He's a hacker cum programmer himself and he himself admits that his virus is just very tiny and will be rendered useless compared to Conficker. Damn! This is how powerful Conficker is... btw, the following quote is from Shurn Heng.

I have never seen a virus as advanced as Conficker. It is the combination of the best features of all the viruses in the wild. This is one heck of a virus maker. Let me list some of its features:

It uses 4096-bit RSA encryption. 1024-bit RSA encryption is already very, very hard to break. The virus makers actually went one step ahead! It has already been reported by a lot of anti-virus vendors that strong encryption is usually missing in malware, or at least incorrectly implemented, making the virus completely useless eventually.
It also borrows high-quality code from OpenSSL. OpenSSL is an open source project and very well tested. Very smart of the author, since most viruses fail because their authors write their own code that is not widely tested.
The author also uses its own pseudo-random number generator. Looks like this guy has a lot of coding experience.
The design concept of the virus is resistant to reverse engineering. Such resistance requires up-to-date, state-of-the-art knowledge.
The virus can detect whether the machine is physical or virtual.
The virus is a double-packed binary: compressed and encrypted.
Has thread injection capabilities.
The memory image of the virus does not contain a valid PE header and does not have an import table, which hampers dumping.
Spreads through the internet and external devices like thumbdrives. If the system it is trying to infect is password protected, it will initiate a brute-force attack. This significantly increases network traffic.
Contacts over 50,000 websites across 110 top-level domains to download its own virus updates.
Is able to use a named pipe to tell other infected computers on the network that a particular website has a valid virus update.
Is able to create an ad-hoc peer-to-peer network to give and receive virus updates to and from a large internet audience, infecting better and more than the number of audience in the named-pipe infection and even possibly the website updates. This part of the code is heavily obfuscated, so even the white-hat community has a hard time figuring out how this works. But they have observed large-scale UDP scanning to build up a peer list of other infected computers. They also observed a lot of TCP connections for subsequent transfers of virus updates. Port numbers are also hashed from the IP addresses of each peer.
Blocks all major anti-virus websites, security-related websites and Microsoft.
Blocks Windows Update, Background Intelligent Transfer Service (BITS), Windows Defender and the Error Reporting Service.
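The peer-to-peer behaviour in the quote (large-scale UDP scanning to build a peer list, with destination ports that vary per peer) is something a defender can look for in flow logs without knowing the obfuscated code: a single host sending UDP to many distinct hosts on many distinct ports within a short window. The script below is an added example written for this post, not code from the original or from Shurn Heng. It assumes a simplified, constructed flow-log format (`<epoch_seconds> <proto> <src_ip> <src_port> <dst_ip> <dst_port>`), and the window size and thresholds are assumptions chosen to fit the sample, not values measured against the real worm.

```python
"""Flag hosts whose UDP traffic shows peer-discovery style fan-out.

Added example, not the blog's or Shurn Heng's code. The flow format below is
a constructed simplification:  <epoch_seconds> <proto> <src_ip> <src_port> <dst_ip> <dst_port>
"""
from collections import defaultdict

# Constructed sample flows (not real captures). 10.0.0.5 talks UDP to seven
# different hosts on seven different ports in a few seconds; 10.0.0.9 is plain
# DNS traffic to one resolver; 10.0.0.7 is a small two-peer burst.
SAMPLE_FLOWS = """\
1238630400 UDP 10.0.0.5 40001 203.0.113.10 23391
1238630402 UDP 10.0.0.5 40001 203.0.113.11 8802
1238630403 UDP 10.0.0.5 40001 203.0.113.12 51277
1238630405 UDP 10.0.0.5 40001 203.0.113.13 17460
1238630406 UDP 10.0.0.5 40001 203.0.113.14 33019
1238630408 UDP 10.0.0.5 40001 203.0.113.15 6124
1238630409 UDP 10.0.0.5 40001 203.0.113.16 44590
1238630410 UDP 10.0.0.9 52110 192.0.2.53 53
1238630411 UDP 10.0.0.9 52111 192.0.2.53 53
1238630412 UDP 10.0.0.9 52112 192.0.2.53 53
1238630413 UDP 10.0.0.9 52113 192.0.2.53 53
1238630414 UDP 10.0.0.9 52114 192.0.2.53 53
1238630415 UDP 10.0.0.9 52115 192.0.2.53 53
1238630416 TCP 10.0.0.5 40002 203.0.113.12 51277
1238630420 UDP 10.0.0.7 30000 198.51.100.1 5000
1238630421 UDP 10.0.0.7 30000 198.51.100.2 5001
"""


def parse_flow(line):
    """Parse one flow record into (ts, proto, src_ip, src_port, dst_ip, dst_port)."""
    ts, proto, src_ip, src_port, dst_ip, dst_port = line.split()
    return int(ts), proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port)


def find_udp_fanout(lines, window=60, min_peers=5, min_ports=5):
    """Return [(src_ip, window_start, n_peers, n_ports)] for every source that,
    inside one tumbling window of `window` seconds, sent UDP to at least
    `min_peers` distinct destination hosts on at least `min_ports` distinct
    destination ports. Requiring both counts separates peer discovery (many
    hosts, many ports) from a normal service such as DNS (many flows, one port).
    Thresholds are assumptions for this sample."""
    peers = defaultdict(set)   # (src_ip, window_start) -> distinct dst hosts
    ports = defaultdict(set)   # (src_ip, window_start) -> distinct dst ports
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, proto, src_ip, _, dst_ip, dst_port = parse_flow(line)
        if proto != "UDP":
            continue               # the scan in the quote is UDP; TCP is ignored here
        key = (src_ip, ts - ts % window)
        peers[key].add(dst_ip)
        ports[key].add(dst_port)

    hits = []
    for key in sorted(peers):
        n_peers, n_ports = len(peers[key]), len(ports[key])
        if n_peers >= min_peers and n_ports >= min_ports:
            hits.append((key[0], key[1], n_peers, n_ports))
    return hits


if __name__ == "__main__":
    for src_ip, start, n_peers, n_ports in find_udp_fanout(SAMPLE_FLOWS.splitlines()):
        print(f"{src_ip}: {n_peers} UDP peers on {n_ports} distinct ports "
              f"in the window starting at {start}")
```

Run as-is it reports only 10.0.0.5; the DNS client never trips the port threshold, and the two-peer burst stays under both thresholds. Tune `window`, `min_peers` and `min_ports` against a baseline of your own network before treating a hit as anything more than a lead.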


I just remembered that yesterday was April Fools' Day =.="
